Red Hat OpenShift security context constraints

On Red Hat OpenShift Container Platform, this chart requires a SecurityContextConstraints (SCC) resource to be bound to the target namespace before installation. Meeting this requirement may involve cluster-scoped as well as namespace-scoped pre-install and post-install actions.

The predefined SecurityContextConstraints named ibm-restricted-scc has been verified for this chart. If your target namespace is already bound to that SCC, you can proceed to install the chart.

This chart also defines a custom SecurityContextConstraints that gives fine-grained control over the permissions and capabilities granted to the pods this chart deploys. You can create and bind this custom SCC using the supplied instructions and scripts in the pak_extensions pre-install directory.

OpenShift Container Platform (OCP) enforces pod security through SecurityContextConstraints (SCC) resources rather than the PodSecurityPolicies (PSP) used on other Kubernetes platforms. An SCC controls the actions a pod may perform and what it may access, for example whether it can run as root, use host networking, or mount host paths. IBM Cloud Private installations on OCP therefore use SCCs instead of PSPs.

  • From the user interface, you can copy and paste the following snippet to create the custom SecurityContextConstraints:
    • Custom SecurityContextConstraints definition:
      apiVersion: security.openshift.io/v1
      kind: SecurityContextConstraints
      metadata:
        annotations:
          kubernetes.io/description: "This policy is the most restrictive,
            requiring pods to run with a non-root UID, and preventing pods from accessing the host.
            The UID and GID will be bound by ranges specified at the Namespace level."
          cloudpak.ibm.com/version: "1.1.0"
        name: ibm-netcool-gateway-cem-prod-scc
      allowHostDirVolumePlugin: false
      allowHostIPC: false
      allowHostNetwork: false
      allowHostPID: false
      allowHostPorts: false
      allowPrivilegedContainer: false
      allowPrivilegeEscalation: false
      allowedCapabilities: null
      allowedFlexVolumes: null
      allowedUnsafeSysctls: null
      defaultAddCapabilities: null
      defaultAllowPrivilegeEscalation: false
      forbiddenSysctls:
        - "*"
      fsGroup:
        type: MustRunAs
        ranges:
        - max: 65535
          min: 1
      readOnlyRootFilesystem: false
      requiredDropCapabilities:
      - ALL
      runAsUser:
        type: MustRunAsNonRoot
      seccompProfiles:
      - docker/default
      seLinuxContext:
        type: RunAsAny
      supplementalGroups:
        type: MustRunAs
        ranges:
        - max: 65535
          min: 1
      volumes:
      - configMap
      - downwardAPI
      - emptyDir
      - persistentVolumeClaim
      - projected
      - secret
  • From the command line, you can run the setup scripts included under pak_extensions. Run the cluster-scoped script first, then the namespace-scoped one.

    As a cluster administrator, the cluster-scoped pre-install script and instructions are in the following location:

    pre-install/clusterAdministration/createSecurityClusterPrereqs.sh

    As a team admin or operator for the target namespace, the namespace-scoped pre-install script and instructions are in the following location:

    pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh
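The following is an added example and is not the chart's pak_extensions scripts or any IBM code. It shows the cluster-scoped/namespace-scoped split described above in working shell: a pre-flight check that the SCC manifest you are about to create is actually restrictive (every host and privilege switch false, non-root UIDs, ALL capabilities dropped), a Role and RoleBinding that grant the "use" verb on that SCC to every ServiceAccount in one namespace (equivalent to oc adm policy add-scc-to-group <scc> system:serviceaccounts:<ns>), and a query of the openshift.io/scc pod annotation, which records the SCC that admitted each pod. SCC_NAME defaults to the name in the manifest above; the Role name, the helper function names and the manifest path argument are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the chart's own pak_extensions scripts). Helpers for the
# two-step SCC setup: cluster-admin creates the SCC, the namespace admin grants
# "use" on it. Names other than the SCC name are illustration-only assumptions.
set -eu

SCC_NAME="${SCC_NAME:-ibm-netcool-gateway-cem-prod-scc}"

# Return 0 when every host/privilege switch in the SCC file is false, UIDs must
# be non-root and ALL capabilities are dropped; otherwise print each failing
# key to stderr and return 1. Keys are matched at column 0, as in the manifest.
scc_is_restrictive() {
  local file="$1" key rc=0
  for key in allowHostDirVolumePlugin allowHostIPC allowHostNetwork \
             allowHostPID allowHostPorts allowPrivilegedContainer \
             allowPrivilegeEscalation; do
    if ! grep -Eq "^${key}:[[:space:]]*false[[:space:]]*$" "$file"; then
      echo "SCC check: ${key} is not false" >&2
      rc=1
    fi
  done
  if ! grep -A1 -E '^runAsUser:' "$file" | grep -Eq 'type:[[:space:]]*MustRunAsNonRoot'; then
    echo "SCC check: runAsUser.type is not MustRunAsNonRoot" >&2
    rc=1
  fi
  if ! grep -A1 -E '^requiredDropCapabilities:' "$file" | grep -Eq '^[[:space:]]*-[[:space:]]*ALL[[:space:]]*$'; then
    echo "SCC check: requiredDropCapabilities does not drop ALL" >&2
    rc=1
  fi
  return "$rc"
}

# Print a Role + RoleBinding (namespace scoped) that lets every ServiceAccount
# in namespace $1 use $SCC_NAME. Pipe the output to `oc apply -f -`.
scc_namespace_rbac() {
  local ns="$1"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${SCC_NAME}-user
  namespace: ${ns}
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["${SCC_NAME}"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${SCC_NAME}-user
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${SCC_NAME}-user
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:${ns}
EOF
}

# End-to-end: check the manifest, create the SCC (cluster scoped, needs
# cluster-admin), bind it in the namespace (needs admin on that namespace),
# then list which SCC admitted each pod there (empty until pods exist).
# Requires a logged-in `oc`; not invoked automatically.
apply_scc_prereqs() {
  local scc_file="$1" ns="$2"
  scc_is_restrictive "$scc_file"
  oc apply -f "$scc_file"
  scc_namespace_rbac "$ns" | oc apply -f -
  oc get pods -n "$ns" -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.metadata.annotations.openshift\.io/scc}{"\n"}{end}'
}
```

Usage: save the SCC manifest above to a file and run apply_scc_prereqs /path/to/scc.yaml <namespace> as a user holding both roles, or run the two oc apply steps separately as cluster-admin and namespace admin. The pre-flight check is deliberately strict: a manifest that loosens any host switch, or that no longer drops ALL capabilities, fails the check before anything is created.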